Stung by two instances where Google Wallet was hacked, Google (NASDAQ:GOOG) defended its mobile payment service and claimed it is safer than using credit cards to pay for goods.
Google Wallet is a mobile payment app that communicates with smartphones equipped with near-field communication (NFC), a short-distance wireless technology. The app runs on Sprint Nexus S 4G smartphones, which users may tap against a cash register to pay for goods at some 20 retailers and restaurants.
The app, designed to let shoppers leave the wallets, cash and credit cards at home, is protected by a PIN code and the phone’s lock screen.
“People are asking if Google Wallet is safe enough for mobile phone payments,” wrote Osama Bedier, vice president of Google Wallet and payments, in a corporate blog post. “The simple answer to this question is yes.”
However, two separate security researchers last week cracked the PIN code used to secure Google Wallet.
On Feb. 9, Web security provider Zvelo found a way to execute a brute-force attack on the Google Wallet PIN code. Zvelo engineer Joshua Rubin said the Wallet-bearing smartphone needs to be rooted by the user or someone who has physical access to the device to divine the PIN code.
Google said it “strongly discourages” users from disabling the PIN code in order to gain root access to their phone because the product is not supported on rooted phones.
“That’s why, in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device,” Bedier wrote.
In the other attack, the SmartphoneChamp blog Feb. 10 detailed how a user who finds a lost Wallet-enabled smartphone that is not protected by a screen lock can clear the data associated with Wallet from the phone’s application settings menu.
What this does is prompt Google Wallet to reset itself and ask the user for a new PIN the next time it is launched. A user can simply create a new PIN and associate a Google PrePaid card to the app to access all previously available funds.
Bedier acknowledged this issue, saying Google temporarily disabled provisioning of prepaid cards as a precaution until Google issues a permanent fix.
He added that, as with credit cards, users who lose their phone or fear someone used them to make unauthorized payments can call Google’s toll-free assistance hotline at 855-492-5538.
“In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t,” Bedier added.
This is an allusion to the notion that the more wallets stay at home, the fewer will get lost and pose security issues related to lose credit cards.
However, if researchers keep poking holes in Wallet, whether they use tricks to unlock PINs or not, the less credible Wallet’s security will seem. This will be problematic at a time when Google is fighting to expand the service and help it proliferate in commercial markets worldwide.
In general, NFC-based mobile payments are expected to boom over the next five years, though they have been slow to pick up steam here in the U.S.